Configure Hashicorp Vault
Create a KongVault CRD and then use the vault:// reference in your plugin configuration
Prerequisites
Kong Konnect
If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.
- The following Konnect items are required to complete this tutorial:
- Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Set the personal access token as an environment variable:
export KONNECT_TOKEN='YOUR KONNECT TOKEN'Copied!
Create a KIC Control Plane
Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:
CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "My KIC CP",
"cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
}'
)
We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:
CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')
Create mTLS certificates
Kong Ingress Controller talks to Konnect over a connected secured with TLS certificates.
Generate a new certificate using openssl:
openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt
The certificate needs to be a single line string to send it to the Konnect API with curl. Use awk to format the certificate:
export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);
Next, upload the certificate to Konnect:
curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"cert": "'$CERT'"
}'
Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:
kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key
Kong Ingress Controller running (attached to Konnect)
-
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com helm repo updateCopied! -
Create a
values.yamlfile:cat <<EOF > values.yaml controller: ingressController: image: tag: "3.5" env: feature_gates: "FillIDs=true" konnect: license: enabled: true enabled: true controlPlaneID: "$CONTROL_PLANE_ID" tlsClientCertSecretName: konnect-client-tls apiHostname: "us.kic.api.konghq.com" gateway: image: repository: kong/kong-gateway tag: "3.13" env: konnect_mode: 'on' vitals: "off" cluster_mtls: pki cluster_telemetry_endpoint: "$CONTROL_PLANE_TELEMETRY:443" cluster_telemetry_server_name: "$CONTROL_PLANE_TELEMETRY" cluster_cert: /etc/secrets/konnect-client-tls/tls.crt cluster_cert_key: /etc/secrets/konnect-client-tls/tls.key lua_ssl_trusted_certificate: system proxy_access_log: "off" dns_stale_ttl: "3600" secretVolumes: - konnect-client-tls EOFCopied! -
Install Kong Ingress Controller using Helm:
helm install kong kong/ingress -n kong --create-namespace --values ./values.yaml --waitCopied!
Kong Ingress Controller running (with an Enterprise license)
-
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com helm repo updateCopied! -
Create a file named
license.jsoncontaining your Kong Gateway Enterprise license and store it in a Kubernetes secret:kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f - kubectl create secret generic kong-enterprise-license --from-file=license=./license.json -n kongCopied! -
Create a
values.yamlfile:cat <<EOF > values.yaml gateway: image: repository: kong/kong-gateway tag: "3.13" env: LICENSE_DATA: valueFrom: secretKeyRef: name: kong-enterprise-license key: license EOFCopied! -
Install Kong Ingress Controller using Helm:
helm install kong kong/ingress -n kong --create-namespace --values ./values.yaml --waitCopied!
HashiCorp Vault
-
Install Vault in
devmode. This is not recommended for production deployments:helm install vault hashicorp/vault \ --set='server.dev.enabled=true' \ --namespace vault \ --create-namespaceCopied! -
Create a secret in HashiCorp Vault:
kubectl exec -it -n vault vault-0 -- \ vault kv put secret/customer/acme name="ACME Inc."Copied!
Create a KongVault entity
Kong Ingress Controller uses the KongVault entity to configure the connection to a Vault. As we’re running Hashicorp Vault in dev mode, we can use the root token to access the Vault:
echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongVault
metadata:
name: hcv-vault
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
spec:
backend: hcv
prefix: hashicorp-vault
description: Storing secrets in HashiCorp Vault
config:
host: vault.vault.svc.cluster.local
token: root
kv: v2
mount: secret
port: 8200
protocol: http
" | kubectl apply -f -
We can now access secrets in this vault using the vault://hashicorp-vault/$KEY syntax. The hashicorp-vault prefix matches the prefix field in the KongVault resource.
Validate your configuration
To validate that the secret was stored correctly in HashiCorp Vault, you can call a secret from your vault using the kong vault get command within the Data Plane Pod.
kubectl exec -n kong -it deployment/kong-gateway -c proxy -- kong vault get {vault://hashicorp-vault/customer/acme/name}
kubectl exec -n kong -it deployment/kong-gateway -c proxy -- kong vault get {vault://hashicorp-vault/customer/acme/name}
If the vault was configured correctly, this command should return the value of the secret. You can use {vault://hashicorp-vault/customer/acme/name} to reference the secret in any referenceable field.
For more information about supported secret types, see What can be stored as a secret.
Cleanup
Uninstall KIC from your cluster
helm uninstall kong -n kong
Uninstall HashiCorp Vault from your cluster
kubectl delete namespace vault